[Freeipa-users] Read-only access to enforce OTP
Martin Kosek
mkosek at redhat.com
Thu Jun 16 14:18:15 UTC 2016
On 06/16/2016 11:00 AM, Prashant Bapat wrote:
> Hi,
>
> I'm writing a small script which will scan all the users and check if each one
> has setup an OTP. It will send out an email to the user if OTP is missing.
>
> I added a new entry /uid=otp-check-ro,cn=sysaccounts,cn=etc,dc=example,dc=com/.
> Problem is I'm able to read all the users attributes but not able to read
> anything under /cn=otp,dc=example,dc=com/ tree.
>
> What are the permissions or ACI I need to add to give read-only access to this user?
>
> Thanks.
> --Prashant
>
I would recommend creating a read permission for the tree and attributes/objects you
need to allow. Doc is here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html#creating-perms-cli
You cannot apply this permission to a system user with the API; you would need to use
ldapmodify and add the right membership. But you could create a service account
(service-add), create a keytab for the authentication and then assign it a role
that has a privilege that has your permission. I hope that makes sense.
Martin
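The permission -> privilege -> role chain from the reply, followed by the ldapmodify step for the sysaccount, as an added example that is not code from the thread or from the FreeIPA project. It assumes a FreeIPA 4.x `ipa` CLI with an admin Kerberos ticket; the permission, privilege and role names, the attribute list and the `ipa.example.com` host are chosen here, and `DRY_RUN=1` prints the commands instead of running them.

```shell
# Added example, not code from the thread: grant a FreeIPA system account
# read-only access to the OTP token subtree via permission -> privilege -> role,
# then add the system account to the role with ldapmodify, as the reply says.
# Assumed: FreeIPA 4.x "ipa" CLI, an admin Kerberos ticket, names chosen here.
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=com}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"          # placeholder host
SYSACCOUNT="uid=otp-check-ro,cn=sysaccounts,cn=etc,${BASE_DN}"
PERM="Read OTP tokens (audit)"
PRIV="OTP token audit"
ROLE="OTP Auditor"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

grant_otp_read() {
  # 1. Permission: read/search/compare on token entries under cn=otp, limited
  #    to attributes the audit needs (ownership/state, never the token secret).
  run ipa permission-add "$PERM" \
      --subtree="cn=otp,${BASE_DN}" \
      --targetfilter='(objectclass=ipatoken)' \
      --right=read --right=search --right=compare \
      --attrs=objectclass --attrs=ipatokenuniqueid \
      --attrs=ipatokenowner --attrs=ipatokendisabled
  # 2. Privilege holding the permission, 3. role holding the privilege.
  run ipa privilege-add "$PRIV" --desc="Read-only view of OTP tokens"
  run ipa privilege-add-permission "$PRIV" --permissions="$PERM"
  run ipa role-add "$ROLE" --desc="Scripts that audit OTP enrolment"
  run ipa role-add-privilege "$ROLE" --privileges="$PRIV"
}

# Entries under cn=sysaccounts are not valid targets for "ipa role-add-member",
# so the membership is added directly to the role entry (LDIF below).
role_member_ldif() {
  cat <<EOF
dn: cn=${ROLE},cn=roles,cn=accounts,${BASE_DN}
changetype: modify
add: member
member: ${SYSACCOUNT}
EOF
}

add_sysaccount_to_role() {
  if [ "$DRY_RUN" = "1" ]; then role_member_ldif
  else role_member_ldif | ldapmodify -Y GSSAPI -H "ldap://${IPA_SERVER}"; fi
}
```

Run `grant_otp_read` once as an admin, then `add_sysaccount_to_role`; the memberOf plugin then lets the ACI generated for the permission match the sysaccount through the role and privilege membership.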